Introductory COBIT Presentation

Upload: bill-von-thaden

Post on 08-Apr-2018

TRANSCRIPT

  • 8/7/2019 Introductory COBIT Presentation

    1/42

    2007 IT Governance Institute. All rights reserved.

    Introductory COBIT Presentation

    Overview of IT Governance and the COBIT Framework

  • 2/42

    The Need for IT Governance

    [Diagram: Keeping IT Running; Security; Value/Cost; Managing Complexity; Aligning IT with Business; Regulatory Compliance]

    Organisations require a structured approach for managing these and other challenges.

    This will ensure that there are agreed objectives for IT, good management controls in place and effective monitoring of performance to keep on track and avoid unexpected outcomes.

  • 3/42

    The Need for IT Governance

    Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

    Providing strategic direction

    Ensuring that objectives are achieved

    Ascertaining that risks are managed appropriately

    Verifying that the enterprise's resources are used responsibly

    [Diagram: Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement]

    www.itgi.org

  • 4/42

    IT Governance, as Defined by ITGI

    IT governance is:

    The responsibility of the board of directors and executive management

    An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives

    [Chart, 2003 and 2005: 64% Doing something about it; 42% Not doing something about it; 36%; 58%]

    Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005

  • 5/42

    Enterprise Governance Drives IT Governance

    Enterprise governance is about:

    Conformance: Adhering to legislation, internal policies, audit requirements, etc.

    Performance: Improving profitability, efficiency, effectiveness, growth, etc.

    Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

  • 6/42

    IT Governance Focus Areas

    Strategic alignment: Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations

    Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT

    Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

    Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation

    Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting

  • 7/42

    Making IT Governance Work

    To make an IT governance implementation project successful:

    Make IT governance a workable solution able to deal with the challenges and pitfalls presented by IT.

    Focus as much on improving performance and enabling competitive advantage as preventing problems.

    Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.

    Align IT governance within a wider enterprise governance scheme.

    Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.

  • 8/42

    IT Governance Stakeholders

    Board and executive: Set direction for IT, monitor results and insist on corrective measures

    Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed

    IT management: Delivers and improves IT services as required by the business

    IT audit: Provides independent assurance to demonstrate that IT delivers what is needed

    Risk and compliance: Measures compliance with policies and focuses on alerts to new risks

  • 9/42

    COBIT Provides a Framework for IT Governance

    COBIT:

    Starts from business requirements

    Is process-oriented, organising IT activities into a generally accepted process model

    Identifies the major IT resources to be leveraged

    Defines the management control objectives to be considered

    Incorporates major international standards

    Has become the de facto standard for overall control of IT

    COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.

    IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.

  • 10/42

    How Does COBIT Help Implement Effective IT Governance?

    COBIT brings the following advantages to an IT governance implementation effort:

    Enables mapping of IT goals to business goals and vice versa

    Better alignment, based on a business focus

    A view of what IT does that is understandable to management

    Clear ownership and responsibilities based on process orientation

    General acceptability with third parties and regulators

    Shared understanding amongst all stakeholders, based on a common language

    Fulfilment of the COSO requirements for the IT control environment

  • 11/42

    COBIT and Other IT Management Frameworks

    Organisations will consider and use a variety of IT models, standards and best practices.

    These must be understood in order to consider how they can be used together, with COBIT acting as the consolidator (umbrella).

    [Diagram: COBIT, ISO 9000, ISO 17799, ITIL and COSO; labels: WHAT, HOW, SCOPE OF COVERAGE]

  • 12/42

    Where Does COBIT Fit?

    [Diagram labels: Drivers; PERFORMANCE: Business Goals; CONFORMANCE: Basel II, Sarbanes-Oxley Act, etc.; Enterprise Governance; IT Governance; Best Practice Standards; Processes and Procedures; Balanced Scorecard; COSO; COBIT; ISO 9001:2000; ISO 17799; ISO 20000; ITIL; QA Procedures; Security Principles]

  • 13/42

    COBIT Framework

    COBIT Framework Characteristics

    The COBIT framework was created with the main characteristics:

    Business-focused

    Process-oriented

    Controls-based

    Measurement-driven

    The acronym COBIT stands for Control Objectives for Information and related Technology.

  • 14/42

    COBIT: An IT Control Framework

    Evolution:

    COBIT 1 (1996): Audit

    COBIT 2 (1998): Control

    COBIT 3 (2000): Management

    COBIT 4 (2005): Governance

    For latest updates on COBIT, log on to www.isaca.org/cobit.

  • 15/42

    COBIT: Value and Limitations

    COBIT:

    Has internationally accepted good practices

    Is management-oriented

    Is supported by tools and training

    Is freely downloadable

    Allows the knowledge of expert volunteers to be shared and leveraged

    Continually evolves

    Is maintained by a reputable not-for-profit organisation

    Maps 100 percent to COSO

    Maps strongly to all major, related standards

    Is a reference, not an off-the-shelf cure

    Enterprises still need to analyse control requirements and customise COBIT based on their:

    Value drivers

    Risk profile

    IT infrastructure, organisation and project portfolio

  • 16/42

    COBIT Components

    An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.

    [Diagram: Business Strategy; Information Criteria; IT Resources; IT Processes]

  • 17/42

    COBIT: Advantages

    Some of the advantages of adopting COBIT are:

    COBIT is aligned with other standards and good practices and should be used together with them.

    COBIT's framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.

    COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.

    COBIT provides tools to help manage IT activities.

  • 18/42

    COBIT and IT Governance

    COBIT focuses on improving IT governance in organisations.

    COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework.

    [Diagram: Control Framework: Provides sharper business focus; Ensures process orientation; Has general acceptability amongst organisations; Helps meet regulatory requirements; Defines a common language]

  • 19/42

    COBIT and IT Governance (Cont.)

    Business Focus

    COBIT achieves sharper business focus by aligning IT with business objectives.

    The measurement of IT performance should focus on IT's contribution to enabling and extending the business strategy.

    COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.

  • 20/42

    COBIT and IT Governance (Cont.)

    Process Orientation

    When organisations implement COBIT, their focus is more process-oriented.

    Incidents and problems no longer divert attention from processes.

    Exceptions can be clearly defined as part of standard processes.

    With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.

  • 21/42

    COBIT and IT Governance (Cont.)

    General Acceptability

    COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.

    The framework continues to improve and develop to keep pace with good practices.

    IT professionals from all over the world contribute their ideas and time to regular review meetings.

  • 22/42

    COBIT and IT Governance (Cont.)

    Regulatory Requirements

    Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.

    Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.

    Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.

  • 23/42

    COBIT and IT Governance (Cont.)

    Common Language

    A framework helps get everybody on the same page by defining critical terms and providing a glossary.

    Co-ordination within and across project teams and organisations can play a key role in the success of any project.

    Common language helps build confidence and trust.

  • 24/42

    COBIT: Premise

    The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

    [Diagram: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives]

    The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.

  • 25/42

    COBIT: Principle

    The principle of the COBIT framework is to link management's IT expectations with management's IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.

    [Diagram: Business Strategy; Information Criteria; IT Resources; IT Processes]

  • 26/42

    COBIT Framework

    As a control and governance framework for IT, COBIT focuses on two key areas:

    Providing the information required to support business objectives and requirements

    Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes

    [Diagram: IT Processes: Domains, Processes, Activities. Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People. Other labels: IT Process; Business Requirement; Control Approach; Consideration ....]

  • 27/42

    COBIT Cube

    The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.

    For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.

    Business Requirements for Information Criteria

    IT Resources

    IT Processes

  • 28/42

    COBIT Cube: IT Processes

    COBIT describes the IT life cycle with the help of four domains:

    Plan and Organise

    Acquire and Implement

    Deliver and Support

    Monitor and Evaluate

    Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 IT processes.

    Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.

    [Diagram: COBIT cube: IT Processes (Domains, Processes, Activities); Information Criteria; IT Resources]

  • 29/42

    COBIT Cube: IT Domains

    Plan and Organise (PO)

    Objectives:

    Formulating strategy and tactics

    Identifying how IT can best contribute to achieving business objectives

    Planning, communicating and managing the realisation of the strategic vision

    Implementing organisational and technological infrastructure

    Scope:

    Are IT and the business strategically aligned?

    Is the enterprise achieving optimum use of its resources?

    Does everyone in the organisation understand the IT objectives?

    Are IT risks understood and being managed?

    Is the quality of IT systems appropriate for business needs?

    [Diagram: IT and Business]

  • 30/42

    COBIT Cube: IT Domains (Cont.)

    Let's look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.

    Plan and Organise

    PO1 Define a strategic IT plan.

    PO2 Define the information architecture.

    PO3 Determine technological direction.

    PO4 Define the IT processes, organisation and relationships.

    PO5 Manage the IT investment.

    PO6 Communicate management aims and direction.

    PO7 Manage IT human resources.

    PO8 Manage quality.

    PO9 Assess and manage IT risks.

    PO10 Manage projects.

    [Diagram: IT Processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate]

  • 31/42

    COBIT Cube: IT Domains (Cont.)

    Acquire and Implement (AI)

    Objectives:

    Identifying, developing or acquiring, implementing, and integrating IT solutions

    Changes in and maintenance of existing systems

    Scope:

    Are new projects likely to deliver solutions that meet business needs?

    Are new projects likely to be delivered on time and within budget?

    Will the new systems work properly when implemented?

    Will changes be made without upsetting current business operations?

    [Diagram: New Projects; Organisation]

  • 32/42

    COBIT Cube: IT Domains (Cont.)

    Acquire and Implement

    AI1 Identify automated solutions.

    AI2 Acquire and maintain application software.

    AI3 Acquire and maintain technology infrastructure.

    AI4 Enable operation and use.

    AI5 Procure IT resources.

    AI6 Manage changes.

    AI7 Install and accredit solutions and changes.

  • 33/42

    COBIT Cube: IT Domains (Cont.)

    Deliver and Support (DS)

    Objectives:

    The actual delivery of required services, including service delivery

    The management of security, continuity, data and operational facilities

    Service support for users

    Scope:

    Are IT services being delivered in line with business priorities?

    Are IT costs optimised?

    Is the workforce able to use IT systems productively and safely?

    Are adequate confidentiality, integrity and availability in place?

    [Diagram: IT Services; Business Priorities]

  • 34/42

    COBIT Cube: IT Domains (Cont.)

    Deliver and Support

    DS1 Define and manage service levels.

    DS2 Manage third-party services.

    DS3 Manage performance and capacity.

    DS4 Ensure continuous service.

    DS5 Ensure systems security.

    DS6 Identify and allocate costs.

    DS7 Educate and train users.

    DS8 Manage service desk and incidents.

    DS9 Manage the configuration.

    DS10 Manage problems.

    DS11 Manage data.

    DS12 Manage the physical environment.

    DS13 Manage operations.

  • 35/42

    COBIT Cube: IT Domains (Cont.)

    Monitor and Evaluate (ME)

    Objectives:

    Performance management

    Monitoring of internal control

    Regulatory compliance

    Governance

    Scope:

    Is IT's performance measured to detect problems before it is too late?

    Does management ensure that internal controls are effective and efficient?

    Can IT performance be linked to business goals?

    Are risk, control, compliance and performance measured and reported?

    [Diagram: IT Performance]

  • 36/42

    COBIT Cube: IT Domains (Cont.)

    Monitor and Evaluate

    ME1 Monitor and evaluate IT performance.

    ME2 Monitor and evaluate internal control.

    ME3 Ensure compliance with external requirements.

    ME4 Provide IT governance.

  • 37/42

    COBIT Cube: Information Criteria

    To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.

    Broadly, information criteria are based on the following requirements:

    Quality

    Fiduciary

    Security

    [Diagram: COBIT cube: Information Criteria (Quality Requirements, Fiduciary Requirements, Security Requirements); IT Resources; IT Processes]

  • 38/42

    COBIT Cube: Information Criteria (Cont.)

    Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

    Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources

    Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure

    Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations

    Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

    Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies

    Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities

  • 39/42

    COBIT Cube: IT Resources

    IT processes manage IT resources to generate, deliver and store the information that the organisation needs to achieve its objectives.

    The IT resources identified in COBIT are defined as:

    Applications are automated user systems and manual procedures that process information.

    Information is data that are input, processed and output by information systems, in whatever form used by the business.

    Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.

    People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.

    [Diagram: COBIT cube: IT Resources (Applications, Information, Infrastructure, People); Information Criteria; IT Processes]

  • 40/42

    COBIT Framework

    [Diagram: COBIT FRAMEWORK. Labels: BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES; INFORMATION (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); IT RESOURCES (Applications, Information, Infrastructure, People); PLAN AND ORGANISE (PO1 to PO10); ACQUIRE AND IMPLEMENT (AI1 to AI7); DELIVER AND SUPPORT (DS1 to DS13); MONITOR AND EVALUATE (ME1 to ME4)]

  • 41/42

    COBIT Cube

    IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.

  • 42/42

    Interrelationship of the COBIT Components